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Abstract — The flight control system for the 
Boeing 777 airplane is a Fly-By-Wire (FBW) 
system. The FBW system must meet extremely 
high levels of functional integrity and 
availability. 


The heart of the FBW concept is the use of triple 
redundancy for all hardware resources: 
computing system, airplane electrical power, 
hydraulic power and communication path. 


The Primary Flight Computer (PFC) is the 
central computation element of the FBW 
system. The triple modular redundancy (TMR) 
concept also applies to the PFC architectural 
design. Further, the N—version dissimilarity 
issue is integrated to the TMR concept. The 
PFCs consist of three similar channels (of the 
same part number), and each channel contains 
three dissimilar computation lanes. The 777 
program design is to select the ARINC 629 bus 
as the communication media for the FBW. 
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1. INTRODUCTION 


The new technologies in avionics/flight systems 
selected for the 777 airplane are the electronic 
flight controls (FBW), the ARINC 629 bus, and 
the delayed maintenance concept for the major 
electronics Line Replaceable Units (LRUs): 
Primary Flight Computer (PFC), Air Data 
Inertial Reference System (ADIRS), and 
Airplane Information Management System 


(AIMS). This paper describes the PFC 
architectural design and its design 
considerations. 


The architecture of the 777 FBW system [1],[2] 
follows the earlier 7J7 design [3]. The 
Boeing-designed global DATAC bus [4], also 
known as the ARINC 629 data bus, is used to 
communicate among all computing systems for 
the flight control functions. Each DATAC bus is 
isolated, both physically and electrically, from 
the other two. The three DATAC buses are not 
synchronized. The control system performance 
under the autonomous and asynchronous 
DATAC bus operation has been studied [5]. 
These attributes of the autonomous and 
asynchronous DATAC concepts are compatible 
with the fundamental Boeing safety 
considerations for the FBW. 


The 777 FBW design philosophy for safety 
considers the following constraints: 1) common 
mode/common area faults, 2) separation of 
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FBW (LRU) components, 3) FBW functional 
separation, 4) dissimilarity, and 5) the FBW 
effect on the Structure. 


The Byzantine generals problem [6] defined as a 
result of the NASA sponsored multi-computer 
architecture for FBW [7],[8] is considered an 
attribute of the generic design fault [9] to be 
dealt with. Competing concepts for the 7 
Primary Flight Computer (PFC) architectures 
[10],[11] were studied for meeting the Boeing 
FBW design philosophy. Various research 
articles [12] (31,1141, [15] were also 
considered for the design consideration for the 
777 PFC architecture. 


The 7J7 PFC product development confirmed 
that the system engineering effort can be most 
effectively used to validate the correctness of 
the requirement specifications and the supplier 
top-level design requirements. Further, the 
N-—version software dissimilarity experiment at 
UCLA [16] and in the avionics industry led 
Boeing to the selection of the 
triple-dissimilarity for the PFC architecture in 
the processors and the associated processor 
interface hardware designs and dissimilar ADA 
compilers. 


Rigorous mathematical proof of algorithms to 
cope with the Byzantine generals problem is not 
possible for any triple redundant system [5]. 
The 777 PFC architectural design solutions to 
this type of problem consisted of two steps. 
Firstly, the flight controls ARINC 629 bus 
requirements [1] were developed, with which 
all systems connected to the flight controls 
ARINC 629 buses were mandated to comply. 
Secondly, the PFC, the central computing 
system of the FBW, was required to provide the 
redundancy management function to deal with 
the root causes of functional asymmetry and 
communication asymmetry. 


2. OUTLINE OF THE PRIMARY FLIGHT CONTROL 
FUNCTION 


The 777 FBW computers control electric and 
electrohydraulic actuators using electrically 
transmitted commands. The 777 FBW system 
provides manual and automatic control of the 
airplane in the pitch, roll and yaw axes. 


Pilot commands are input through conventional 
column, wheel and rudder pedal controls and 
are electrically transmitted and processed for 
application to the primary flight control surface 
PCUSs. Two elevators and a horizontal stabilizer 
are used for control in the pitch axis. Roll 
control is achieved with two ailerons and two 
flaperons, and is augmented with fourteen 
spoilers. The spoilers also provide speedbrake 
control. Yaw control is provided with a single, 
tabbed rudder. The primary flight control 
surfaces are illustrated in Figure 1. 


FBW Architecture Overview 


An overview of the FBW system is shown in 
Figure 2. The FBW architecture supports three 
modes of operation: Normal Mode, Secondary 
Mode and Direct Mode. "These modes are 
tabulated in Table 1. 


Pilot commands are input through conventional 
control columns, wheels, rudder pedals, and a 
speedbrake lever. Multiple position transducers 
mounted on each pilot controller sense the pilot 
commands for the Actuator Control Electronics 
units (ACEs). 


The ACEs convert the analog command signals - 
into digital form and transmit them to the PFCs 
via redundant ARINC 629 buses. The PFCs 
receive airplane inertial and air data from the 
ADIRU and SAARU. The PFCs use this data 
along with the pilot inputs to calculate control 


surface position commands. Surface 
commands are then transmitted to the ACEs via 
the ARINC 629 data buses. 
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Figure 1 777 Primary Flight Controls Surfaces 
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Figure 2 777 Primary Flight Control System Overview. 
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Table 1 


CONTROL 
C* Maneuver Cmd with Speed 
Feedback 

Manual Trim for Speed Variable Feel 
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CONTROL 
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DIRECT 
CONTROL 


The ACEs receive the digital PFC commands 
and convert them to analog commands. The 
ACEs use the analog commands to electrically 
control electrohydraulic actuators for control 
surface positioning. 


Variable feel is provided for the control column 
with two actuator-controlled feel units. Fixed 
feel is provided for the wheel and pedals using 
mechanical feel units. 


The Direct Mode is selected with a flight deck 
switch or as a result of the ACEs detecting 
invalid commands from the PFCs. In Direct 
Mode, the ACEs use the analog pilot controller 
transducer signals to generate the surface 
commands. 


The PFCs enter Secondary Mode when the 
availability of inertial or air data is insufficient 
or when the ACEs are in Direct Mode. 


FBW Forward Path Electronics LRUs: PFC 
and ACE 


The electronics for the FBW forward control 
path are implemented in two major LRUS, the 
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PFC and the ACE, connected by the flight 
controls data buses. 


Actuator Control Electronics (ACEs) 


Four ACEs provide the interface between the 
FBW analog domain (crew controllers, 
electrohydraulic actuators and electric 
actuators) and the FBW digital domain (digital 
data buses, PFCs, AFDCs, etc). The ACES 
provide excitation and demodulation of all 
position transducers and the servo loop closure 
for all flight control surface PCUs and the 
variable feel actuators. Each ACE contains 
three terminals which comply with the ARINC 
629 specification to communicate with the data 
buses. In Direct Mode, the ACEs do notrespond 
to commands on the digital data bus but instead 
provide simple analog control laws to command 
the surface actuators directly. Figure 3 shows 
the functions performed by the ACEs. Figure 4 
Shows the hydraulic power distribution for 
PCUs to which ACEs provide electrical control. 


Primary Flight Computers (PFCs) 


Three PFCs provide triple redundant 
computational channels for the primary flight 
control system. Each PFC receives data from all 
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Figure4 777 Primary Flight Controls Hydraulic / ACE Distribution 
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three flight controls data buses, but transmits 
only on its associated bus. Each PFC contains 
three internal computational lanes. Each lane 
interfaces with all three data buses using 
dedicated hardware. Each PFC channel 
contains three dissimilar processor lanes, and 
software from Ada source code using three 
different Ada compilers to provide triple 
dissimilarity. Each PFC lane includes three 
ARINC 629 terminals and bus couplers to 
communicate with the data buses. Each PFC 
lane contains its own microprocessor and power 
supply. The PFC channel architecture is shown 
in Figure 5. 


ARINC 629 Digital Data Bus 


The ARINC 629 data bus [4] is a time division 
multiplex system. It includes multiple 
transmitters with broadcast-type, autonomous 
terminal access. Up to 120 users may be 
connected together. The users communicate 
with the bus using a coupler and terminal as 
shown in Figure 6. ‘Terminal access is 
autonomous. Terminals listen to the bus and 
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Flight Controls ARINC 629 Data Buses 


wait for a quiet period before transmitting. Only 
one terminal is allowed to transmit at a time. 
After a terminal has transmitted, three different 
protocol timers are used to ensure that it does not 
transmit again until all of the other terminals 
have had a chance to transmit. 


Figure 6 shows the interconnection of two 
systems using ARINC 629. In this example, the 
ARINC 629 terminal controller and SIM are 
installed on a circuit board within each LRU. 
The SIM interfaces with the stub cable via a 
connector on the LRU. The stub cable is then 
coupled to the global data bus via a current mode 
coupler. 


A representation of the main internal logic and 
data flows within an ARINC 629 terminal 
controller is shown in Figure 7. Data enters 
through the demodulator and is checked for 
faults. The receiver circuitry monitors all 
incoming labels and determines which 
wordstrings are needed. The data needed by the 
the attached users is sent to the subsystem 
interface and to the users. 
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Figure5 Primary Flight Computer Channel Architecture 
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For the FBW application, the flight controls 
ARINC 629 bus requirements [1] were 
developed for all LRUs communicating on the 
flight controls ARINC 629 buses. These 
requirements consist of the following: 


(1) data bus availability requirements, 


(2) tolerance to error occurrences of 1 in E+8 
bits, 

(3) tolerance of aperiodic bus operation, 

(4) transmission requirements to provide 


indication of output data freshness and to 
not output split-frame data, and 


(5) a common CRC algorithm. 


The FBW forward path (ACE to/from PFC) 
signal monitoring concept is shown in Figure 8. 
Further additional design requirements are 
developed to deal with the communication 
asymmetry of the Byzantine general problem 
(as described in Section 4). 


3. FBW DESIGN CONSTRAINTS 


The 777 FBW design philosophy for safety 
considers the following constraints: 


(1) Common Mode/Common Area Faults 
(2) Separation of FBW Components 

(3) FBW Functional Separation 

(4) Dissimilarity 

(5) FBW Effect on Structure 


Common Mode/Common Area Faults 


Airplane susceptibility to common mode and 
common area damage is addressed by designing 
the systems to both component and functional 
separation requirements. This includes criteria 
for providing installations resistant to 
maintenance crew error or mishandling. 


The FBW design and installation has been 
developed with the following fault 
considerations (to name a few): 

— impact of objects 

— electrical faults 

— electrical power failure 

— electromagnetic environment 

— lightning strike 

— hydraulic failure 

— structural damage 


Separation of FBW Components 


The FBW design philosophy results in isolation 
and separation of redundant flight control 
elements including LRUSs, associated wiring 
and hydraulic lines to the greatest extent 
possible. This minimizes the possibility of loss 
of function due to common-mode or common 
area faults, and prevents failures of other 
systems from affecting the FBW operation. 


General system/airplane design decisions 
addressing common mode/common area faults 
include the following: 


(1) multiple equipment bays for redundant 
LRUs, 


(2) physical separation of redundant LRUs, 

(3) flight deck equipment and wiring 
separation and protection from foreign 
object collision, and 

(4) separation of electrical and hydraulic line 
routing through airplane structure. 


Functional Separation 

Electrical power is allocated to PFC and ACE 
LRUs to provide maximum physical and 
electrical separation between the Left (L), 
Center (C) and Right (R) flight controls 
electrical buses. 


The flight controls ARINC 629 bus functional 
allocation is aligned with electrical power 
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(L/C/R) allocation. Although PFCs and ACEs 
listen to all three ARINC 629 buses, only the 
LPFC (L ACE) may transmit onto the 
L ARINC 629 bus, the C PFC (C ACE) onto the 
C ARINC 629 bus and the R PFC (R ACE) onto 
the R ARINC 629 bus. This prevents an ARINC 
629 transmitter failure or a L/C/R electrical 
power failure from disrupting more than one 
ARINC 629 bus. 


ACE functional actuator control is distributed to 
maximize controllability in all axes after loss of 
function of any ACE or supporting subsystem. 


The hydraulic systems are also aligned with the 
actuator functions to provide maximum 
controllability after loss of hydraulic power in 
one or two systems. In general, the electronics 
components powered by the L/C/R flight 
control electrical bus controls the actuation 
components powered by the L/C/R hydraulic 
system, respectively. 

Dissimilarity 

Generic design faults/oversights have been 
studied for various flight critical systems [9]. 
Design errors can defeat redundancy strategies, 
and can even result in shutdown of multiple 
computer channels. Various combinations of 
dissimilar hardware, different component 
manufacturers, dissimilar — control/monitor 
functions, different hardware design teams, 
different software design teams, and different 
compilers are considered. 


An overview of the methods used to address the 
dissimilarity issue, in addition to the DO-178 
[17] development process and analysis and 
testing plan for each LRU, is summarized 
below: 


(1) PFC: 


— Dissimilar Microprocessor and 
Compilers (with Common software) 


(2) ACE: 


— Dissimilar Control and Monitor 


functions 
(3) Inertial Data: 
- Dissimilar ADIRU/SAARU 
(4) AFDC: 


— Dual Dissimilar hardware for Backdrive 
function 


— In-service experience 
(5) ARINC 629: 


— Development process 


— ACE Direct Mode which bypasses 
ARINC 629 


FBW Effect on Structure 


Failures in the FBW components which can 
result in oscillatory or hardover control surface 
motion may have an adverse effect on airplane 
structure. The structural requirements are 
analyzed and apportioned to all FBW 
components. 


4. 777 PFC ARCHITECTURE DESIGN 


The 777 program decision to use the ARINC 
629 global bus concept and the 777 FBW 
philosophy for fault isolation mandate the PFC 
architectural concept of asynchronous PFC 
channel operation. 


The PFC safety requirements are described 
herein, followed by the PFC design features 
pertinent to deal with the communication 
asymmetry and the functional asymmetry. 


PFC Safety Requirements 


Safety requirements apply to PFC failures 
which could preclude continued safe flight and 
landing, and include both passive failures (loss 
of function without significant immediate 
airplane transient) and active failures 


(malfunction with immediate 


airplane transient). 


significant 


The numerical probability requirements are 
both 1.0E-10 per flight hour for functional 
integrity requirements (relative to active 
failures affecting 777 airplane structure) and 
functional availability requirements (relative to 
passive failures). 


(1) The PFC should be designed to comply 
with the above numerical safety 
requirements for the 777 Nominal Mission 
for the following configurations: 


A. All PFC system lanes operational. 
B. Anysingle PFC lane inoperative. 

(2) The PFC should be designed to comply 
with the numerical functional availability 


of 1.0E-10 per autoland operation for the 
following system configurations: 


A. Any single PFC lane inoperative in 
one, two or all three PFCs. 
B. Anyone PFC inoperative. 


C. Any one PFC inoperative in 
combination with any single PFC lane 
inoperative in either or both of the 
remaining two PFCs. 


D. All PFC lanes operational. 


(3) The PFC should be designed to comply 
with the following non-numerical safety 


requirements: 

A. No single fault, including a 
common-mode hardware fault, 
regardless of probability of 
occurrence, should result in an 


erroneous (assumed active failures for 
the worst case) transmission of output 
signals without a failure indication. 


B. No single fault, including a 
common-mode hardware fault, 
regardless of probability of 
occurrence, should result in loss of 


function in more than one PFC. 


Triple-Triple Redundant PFC Architecture 


The Boeing 7J7 product development 
confirmed that the system engineering effort 
can be most effectively used to validate the 
correctness of the Boeing requirement 
specifications and the Supplier design 
specifications. The N--version software 
dissimilarity experiments in the Industry and at 
UCLA [16] reinforce the Boeing belief that 
dissimilarity needs to be judiciously used for the 
program risk reduction and will not be an 
altemate to the rigorous verification and 
validation analysis/testing activities. 


The microprocessors are considered to be the 
most complex hardware devices. The INTEL 
80486, Motorola 68040 and AMD 29050 
microprocessors were selected for the PFCs. 
The dissimilar microprocessors lead to 
dissimilar interface hardware circuitries and 
dissimilar ADA compilers. 


The selection of triple PFC channels and triple 
dissimilarity is a natural evolution of the FBW 
concept of using triple redundancy for all 
hardware resources: computing system, 
airplane electrical power, hydraulic power and 
communication path. 


The delayed maintenance concept mandates the 
fault tolerant PFC design comprising hot spare 
lanes beyond the PFC hardware resources 
necessary to meet safety requirements. The 
triple-triple redundancy provides hot spare 
hardware resources for both the FBW function 
and the automatic landing function. 


The three computing lanes in each PFC channel, 
with frame synchronization and data 
synchronization as described in next section, are 
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proved to produce outputs with tight command 
tracking. Thus, generic errors in compilers and 
potential microprocessor hardware interface 
deficiencies are detected during the 
development phase. 


PFC Design Features for PFC Hardware 
Resources Redundancy Management 


A typical PFC control path is depicted in 
Figure 9, and an overview of the PFC lane 
redundancy management is illustrated in 
Figure 10. 


The PFC hardware resources redundancy 
management, developed to comply with the 
flight controls ARINC 629 bus requirements 
and to meet the PFC safety requirements, 
consist of the following: 


— PFC inter-lane communication data bus 
within each PFC channel 


— Frame synchronous operation within each 
PFC channel 

— (Input) Data synchronous operation within 
each PFC channel 

- Median Value Select of PFC output 
commands: Channel Output Select 
function 


— PFC Cross-Channel Consolidation and 
Equalization 


— PFC extemal resources monitoring 


PFC Cross-Lane Data Bus 


In addition to the flight controls ARINC 629 
buses, a private data bus, not subjected to the 
normal and abnormal disturbances of the 
ARINC 629 buses by other LRUs, is necessary 
to provide the following functions: 


~ Frame synchronization within a PFC 
channel 


-  Datasynchronization within a PFC channel 


—  Cross-lane data transfer to complement 
other PFC redundancy management 
functions 


PFC Frame Synchronization 


The frame synchronous operation within a PFC 
channel is necessary to allow tighter cross—lane 
monitoring thresholds to ensure that the FBW 
system meets the 777 airplane structural 


requirements. The PFC is designed with a 
convergent (mid-point selection) frame 
synchronous scheme achieving a tight 


synchronization within a few microseconds. 


PFC Data Synchronization 


With a2 MHz ARINC 629 data bus, the transmit 
duration time is 20 microseconds for the 
shortest usable wordstring consisting of two 
words: one ARINC 629 label word and one data 
word. Since the PFC frame synchronization 
performance is well within 20 microseconds 
under PFC fault free conditions, PFC data 
synchronization is implemented to allow 
adjustment of one wordstring such that all lanes 
in a PFC channel are synchronized to the set of 
wordstring data that each lane will use at the 
beginning of each computation frame. Thus, all 
lanes within a PFC channel read the same set of 
data under fault free conditions. The data 
synchronization and the frame synchronization 
allow the tighter tracking between three lanes. 
Tighter thresholds for PFC output command 
monitoring are achieved in meeting all 
structural oscillatory requirements. 
Furthermore, the PFC input signal management 
and signal synthesis functions are designed to 
tolerate occasional PFC lane differences, due to 
mis-reception of a wordstring by a lane, without 
tripping the cross—lane monitor. 


Median Value Select of PFC Surface 
Commands 


Each PFC lane operates in two roles: command 
role or monitor role. Only one lane in each 
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Figure 9 PFC Redundancy Management Overview (Typical Control Path) 
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channel is allowed to be in command role. The 
command lane will send proposed surface 
commands to its ARINC 629 bus. 


A command lane will receive the proposed 
surface commands from two other PFC 
channels. The hardware device residing in the 
PFC lane will perform a median select of three 
inputs of each variable or discrete: two from 
other channels and one from its own. The output 
of the median select hardware is sent in the same 


. wordstring as the "selected" surface commands. 


The PFC lanes in the monitor role will perform a 
"selected output" monitoring of their command 
lane. The PFC command lane, meanwhile, 
performs the "selected output" monitoring of 
other two PFC channels. 


The median value select provides fault blocking 
against PFC faults until the completion of the 
fault detection and identification and 
reconfiguration via the PFC  cross-lane 
monitoring. The PFC command lane will be 
cross-lane inhibited via the cross-lane inhibit 
hardware logic. 


The PFC channel common-mode fault is 
detected by the cross-channel "selected output" 
monitoring function. A PFC channel will be 
cross-channel inhibited via the cross-channel 
inhibit hardware logic. 


PFC Cross—Channel Consolidation and 
Equalization 


Critical PFC discretes are consolidated and 
critical PFC variables are equalized between 
PFC channels to ensure that the asynchronous 
PFC channel operation are within the PFC 
channel tracking bounds (statistically 
analyzable from various simulation studies such 
as [5]). 


PFC External Resources Monitoring 


All LRUs transmitting on the flight controls 
ARINC 629 buses must meet the flight controls 
ARINC 629 bus requirements as described 
above. The PFC will monitor all error 
conditions detected per the the results of the 
CRC checking and the error detection by the 
ARINC 629 Terminal Controller. The 
monitoring result will be consolidated by the 
cross-lane consolidation via lanes' majority 
opinion with the aid of the private PFC data bus, 
and by the cross-channel consolidation via 
channels' majority opinion with the aid of the 
ARINC 629 buses. The detection of a marginal 
ARINC 629 transmitter, receiver or ARINC 629 
bus will be annunciated via the flight deck 
display. Flight crews are then required to issue 
appropriate flight squawks per the flight deck 
display and annunciation. 


3. SUMMARY 


The verification and validation activities for the 
777 PFC program have confirmed that the proof 
of correctness of the requirement and design 
specifications (not the subject of this paper) are 
necessary steps to ensure flight worthiness of 
the FBW. Further, a  multi-computer 
architecture capable of detecting generic errors 
(or differences) in compilers or in complex 
hardware devices provides assurance beyond 
reasonable doubt of the dependability of the 
FBW. 


The triple-triple redundant PFC architecture is 
a natural evolution of the triple redundancy for 
all hardware resources of the airplane flight 
controls. The PFC architecture contains one 
level of redundancy beyond that required to 
achieve the functional integrity for airplane 
dispatch. Consequently, repair of random 
hardware failures can be deferred to a 
convenient time and place, resulting in 
reduction of dispatch delays or cancellations. 
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